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REMARKS 

Claims 2 and 18 have been amended for clarity. No other claim has been amended, 
added, or deleted. No new matter has been added. Upon entry of the above amendments, claims 
2, 4-14 and 16-21 will remain pending. 
Claim Rejections - 35 U.S.C. §103(a) 

Claims 2, 4-14 and 16-21 stand rejected under 35 U.S.C. §103(a) as allegedly being 
unpatentable as obvious over Lin et al. (US 6,405,250) (hereinafter "Lin") in view of Anderson 
et al. (US 2003/0002436) (hereinafter "Anderson"). This rejection is traversed. 

The claimed invention relates to a system and corresponding method for detecting the 
state of a computer network. As set forth in amended claim 2, the system includes: 



a plurality of distributed agents disposed in said computer network, each said 
agent comprising: 

data collection means for passively collecting, monitoring, and aggregating data 
representative of activities of respective nodes within said computer network; 

means responsive to the data from the data collection means for analyzing said 
data to develop activity models representative of activities of said computer 
network in a normal state and activities of said computer network in an abnormal 
state as a result of intrusions, infections, scams and/or other suspicious activities 
in said computer network; and 

means for comparing collected data to said activity models to determine whether 
said computer network is in said normal state or said abnormal state at different 
times and to dynamically update said activity models based on said collected data, 

wherein said analyzing means performs a pattern analysis on the collected data to 
identify patterns in the collected data representative of suspicious activities and 
said comparing means compares the results of the pattern analysis of data 
collected by an agent to the results of pattern analysis of data collected by 
analyzing means of other agents to identify similar patterns of suspicious activity 
in different portions of the computer network. 

Claim 18 recites a corresponding method of detecting the state of a computer network. Such a 
system and method is not taught or suggested by Lin and Anderson taken separately or together. 
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In rejecting the claims, the examiner has now reversed the ordering of the references to 
rely upon Lin as the primary reference with Anderson as the secondary reference. Applicant 
submits that this change of reliance upon the teachings does not change the fact that the 
teachings of Lin and Anderson together do not teach or suggest the claimed system and method. 
The rejections of claims 2, 4-14, and 16-21 are again traversed. 

Lin discloses a network management system that passively monitors and manages 
network elements to formulate behavior state transition models to facilitate fault diagnosis and 
disaster avoidance. Lin captures explanations of why the network moves from one state to 
another based on a causal function h of all network elements representing whether a cause is 
dependent on another cause (column 4, lines 65-67). However, there is no indication that such 
state transitions are based on detecting patterns of suspicious activity as claimed as that would 
require the analysis of the correspondence of several different elements in a recognizable pattern. 
Moreover, Lin specifically teaches away from the claimed methods by noting that there is "no 
way" for Lin's network management system to "passively observe" the behavior of a network 
element without the cooperation of the network element (column 6, lines 12-23). 

Lin also discloses that the network management system includes a trend analyzer 402 that 
predicts trends in future network transitions. To accomplish this, trend analyzer 402 compares 
newly received parameter values of the network elements against previous values for the 
network elements to determine how the values are changing. However, as acknowledged by the 
examiner, Lin does not disclose detecting intrusions, infections, scams or other suspicious 
activities that require analysis to recognize. Applicant further submits that Lin does not teach 
performing "a pattern analysis on the collected data to identify patterns in the collected data 
representative of suspicious activities" or comparing "the results of the pattern analysis of data 
collected by an agent to the results of pattern analysis of data collected by analyzing means of 
other agents to identify similar patterns of suspicious activity in different portions of the 
computer network." For the latter teachings, the examiner cites to Anderson. 

As noted in a previous response, Anderson teaches the use of sensors 104 to collect 
network traffic data. Some or all of the sensors 104 may be integrally disposed with routing 
devices 106. One or more directors 102 (Figure 3) include an analyzer 304 and a regulator 306. 
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As described in paragraph [0045] of Anderson, analyzer 304 analyzes the network traffic data 
from the sensors 104 and alerts regulator 306 which determines where and what actions to be 
taken. As noted in paragraph [0022] of Anderson, each director 102 is assigned responsibility 
for a subset of sensors 104 and selectively activates/deactivates the sensors 104 in addition to 
determining whether the network link of interest is suspicious of being abused or misused (for 
example, the source addresses of the network traffic routed over the network link of interest are 
even layered on top of the normal traffic pattern; see paragraph [0034]). 

In rejecting the claims over Lin and Anderson, the examiner alleges that Anderson 
teaches receiving network traffic and determining whether the network link of interest is "at least 
suspicious of being abused or misused." As disclosed in paragraph [0032] of Anderson, director 
102 determines whether a network link is being misused by comparing the network traffic 
pattern depicted by the collected descriptive data against a set of "user-defined" thresholds for a 
"plurality of traffic pattern metrics." However, Anderson says nothing of comparing the 
collected data to "activity models representative of activities of said computer network in a 
normal state and activities of said computer network in an abnormal state as a result of 
intrusions, infections, scams and/or other suspicious activities in said computer network" as 
claimed. Anderson also does not teach performing "a pattern analysis on the collected data to 
identify patterns in the collected data representative of suspicious activities" or comparing "the 
results of the pattern analysis of data collected by an agent to the results of pattern analysis of 
data collected by analyzing means of other agents to identify similar patterns of suspicious 
activity in different portions of the computer network" as claimed. 

As previously noted, Anderson does not teach comparing the results of the pattern 
analysis of data collected by one agent to the results of pattern analysis of data collected by 
analyzing means of other agents to "identify similar patterns of suspicious activity in different 
portions of the computer network" as claimed. Neither sensors 104 nor directors 102 are 
disclosed as performing any pattern analysis as claimed. In particular, Anderson does not teach 
that one director 102 compares the results of pattern analysis of data from a set of sensors 104 
controlled by that director with the results of pattern analysis of data from another set of sensors 
controlled by another director to "identify similar patterns of suspicious activity in different 
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portions of the computer network" as claimed. On the contrary, any "analysis" performed by the 
director 102 is for determining whether a network link of interest is "suspicious of being abused 
or misused." Anderson provides no way to extrapolate this finding to determine the status of the 
entire computer network as claimed. 

Accordingly, neither Anderson nor Lin teaches a system that detects the state of a 
computer network, where the system comprises a "plurality of distributed agents" disposed in a 
computer network, where "each said agent" includes "comparing means" that "compares the 
results of the pattern analysis of data collected by an agent to the results of pattern analysis of 
data collected by analyzing means of other agents to identify similar patterns of suspicious 
activity in different portions of the computer network" as claimed in independent claims 1 and 
18. No such plural agents with such features arc taught by Anderson and/or Lin. Neither the 
network management agent 450 or network management system 120 of Lin nor directors 102 of 
Anderson are disclosed to have such capabilities. The examiner's conclusions to the contrary are 
not supported by the teachings of Anderson or Lin. 

For at least these reasons, even if the teachings of Anderson and Lin could have been 
combined by one skilled in the art as the examiner alleges, the claimed system and method 
would not have resulted. The rejection of claims 2 and 18 as being unpatentable as obvious over 
Lin in view of Anderson is thus believed to be improper and withdrawal of this rejection is 
respectfully solicited. Claims 3-14, 16-17, and 19-21 are believed to be allowable as well at least 
by virtue of their dependencies upon claims 2 and 18, respectively. 
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Conclusion 

For the reasons set forth herein, claims 2, 4-14 and 16-21 are believed to be in condition 
for allowance. A Notice of Allowability is solicited. 
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